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What is Claimed is: 

1 . A method for detecting an inconsistent data structure comprising: 
receiving a specification describing at least one consistency constraint of a data 
5 structure; and 

dynamically determining during execution of a program whether said data 
structure violates said at least one consistency constraint. 

10 2. The method of Claim 1, wherein said specification comprises at least one 

logical formula. 

3. The method of Claim 2, wherein said specification includes at least one 
consistency constraint expressed in terms of said data structure. 

15 

4. The method of Claim 3, wherein, prior to dynamically determining whether 
said data structure violates said at least one consistency constraint, it is determined 
whether repairing the data structure according to the at least one consistency constraint 
will terminate. 

20 

5. The method of Claim 3, wherein said specification includes a 
description of said data structure. 

6. The method of Claim 4, wherein said specification includes a 
25 description of said data structure. 

7. The method of Claim 1, further comprising: 
representing said data structure as an abstract model; and 
determining consistency constraint violations of said abstract model. 

30 
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8. The method of Claim 7, wherein said specification includes a description of 
said data structure. 

9. The method of Claim 8, wherein said specification includes an 
5 abstract model definition. 

10. The method of Claim 9, wherein said specification includes an 
internal constraint in terms of said abstract model definition. 

10 11. The method of Claim 10, further comprising: 

determining if said internal constraint is violated in accordance with an evaluation 
of said internal constraint. 

12. The method of Claim 11, wherein said specification includes 

1 5 at least one external constraint mapping elements of said abstract model to elements of 
said data structure. 

13. The method of Claim 10, wherein said description of said abstract model 
includes at least one model definition rule and at least one declaration for one of: a set 

20 and a relation, said at least one model definition rule representing an element of said data 
structure in at least one of a set and a relation. 

14. The method of Claim 13, wherein said specification includes 

at least one external constraint mapping elements of said abstract model to elements of 
25 said data structure. 

15. The method of Claim 1, wherein said dynamically determining is performed 
in response to at least one of: an explicit call and a transfer of control to an error handler. 
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16. The method of Claim 13, wherein, prior to dynamically determining whether 
said data structure violates said at least one consistency constraint, it is determined 
whether construction of said abstract model will terminate. 

5 17. The method of Claim 16, wherein, prior to dynamically determining whether 

said data structure violates said at least one consistency constraint, it is determined 
whether said at least one model definition rule has cyclic dependencies which involve 
negation operators. 

10 18. The method of Claim 17, wherein said at least one model definition rule is of 

the form: quantifier, Q, guard, G, and an inclusion constraint, I, and the method further 
comprising: 

translating each guard of each of said at least one model definition rule into 
disjunction normal form including a logical ORing of conjunctions, each of said 

1 5 conjunctions including one or more predicates; 

constructing a graph representing said at least one model definition rule, said 
graph including a node for each model definition rule, a normal edge from a first rule to a 
second rule if the inclusion constraint for the first rule uses a set or relation which is also 
used in a guard of the second rule or a quantifier of the second rule, a negated edge from 

20 the first rule to the second rule if the inclusion constraint for the first rule uses a set or a 
relation which is negated in connection with one of a set or relation of the second rule's 
guard; and 

determining if there are any cycles in said graph with negated edges. 

25 19. The method of Claim 8, wherein, prior to dynamically determining whether 

said data structure violates said at least one consistency constraint, it is determined 
whether repairing said internal constraints will terminate. 
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20. The method of Claim 1, further comprising: 

determining whether a memory reference in connection with said data structure is 
valid in accordance with currently allocated memory of said program. 

21. The method of Claim 1, further comprising: 

repairing said data structure if said data structure violates said at least one 
consistency constraint. 

22. A method of dynamically repairing an inconsistent data structure during 
program execution comprising: 

receiving at least one inconsistency violation; 

selecting a repair to correct said at least one inconsistency violation; and 
repairing said inconsistent data structure. 

23. The method of Claim 22, further comprising: 
resuming execution of said program. 

24. The method of Claim 22, further comprising: 
performing said repair and satisfying said consistency constraint. 

25. The method of Claim 22, wherein said inconsistent data structure is 
represented in an abstract model, and the method comprising: 

repairing said abstract model in accordance with an internal consistency 
constraint; and 

applying a repair to the inconsistent data structure in accordance with an external 
constraint translating said repair from said abstract model to said inconsistent data 
structure. 

26. The method of Claim 22, further comprising: 
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repairing said inconsistent data structure in accordance with an internal 
consistency constraint. 

27. The method of Claim 22, further comprising: 

selecting a repair from a plurality of repairs in accordance with a cost associated 
with each repair. 

28. The method of Claim 27, wherein said cost is user specified. 

29. The method of Claim 27, wherein said inconsistency violation includes a 
plurality of conditions, and the method further comprising: 

determining which of said plurality of conditions are true; and 
determining a cost for repairing said inconsistency violation in accordance with 
those conditions that are not true. 

30. A method of handling an invalid memory reference comprising: 
determining whether a memory reference associated with an operation is invalid; 

and 

if said memory reference is invalid, performing a substitute action selected in 
accordance with said operation in place of performing said operation. 

3 1 . The method of Claim 30, further comprising: 

if said memory reference is associated with a read operation, supplying a default 
value as a result of performing said read operation; and 

if said memory reference is associated with a write operation, disregarding said 
write operation. 

32. The method of Claim 31, wherein at least one invalid read 
operation has a different default value than at least one other invalid read operation. 
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33. The method of Claim 30, wherein said invalid memory access is determined 
during execution of said program. 

34. The method of Claim 31, wherein said determining is performed in 
accordance with memory allocations associated with a program execution. 

35. The method of Claim 34, further comprising: 

evaluating said memory reference prior to attempting to access a portion of 
memory. 

36. The method of Claim 35, wherein at least one of said read operation and said 
write operation uses one of: a pointer access, and an array element for said memory 
reference. 

37. The method of Claim 36, wherein a program having an invalid memory 
reference continues execution following execution of said substitute action. 

38. The method of Claim 32, wherein a program having an invalid memory 
reference continues execution following execution of said substitute action. 
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39. A computer program product that detects an inconsistent data structure 
comprising executable code that: 

receives a specification describing at least one consistency constraint of a data 
structure; and 

5 dynamically determines during execution of a program whether said data structure 

violates said at least one consistency constraint. 

40. The computer program product of Claim 39, wherein said specification 
10 comprises at least one logical formula. 

41 . The computer program product of Claim 40, wherein said specification 
includes at least one consistency constraint expressed in terms of said data structure. 

15 42. The computer program product of Claim 41 , further comprising executable 

code that, prior to dynamically determining whether said data structure violates said at 
least one consistency constraint, determines whether repairing the data structure 
according to the at least one consistency constraint will terminate. 

20 43. The computer program product of Claim 41, wherein said specification 

includes a description of said data structure. 

44. The computer program product of Claim 42, wherein said specification 
includes a description of said data structure. 

25 

45. The computer program product of Claim 39, further comprising executable 
code that: 

represents said data structure as an abstract model; and 
determines consistency constraint violations of said abstract model. 
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46. The computer program product of Claim 45, wherein said specification 
includes a description of said data structure. 

47. The computer program product of Claim 46, wherein said specification 
5 includes an abstract model definition. 

48. The computer program product of Claim 47, wherein said specification 
includes an internal constraint in terms of said abstract model definition. 

10 49. The computer program product of Claim 48, further comprising executable 

code that: 

determines if said internal constraint is violated in accordance with an evaluation 
of said internal constraint. 



15 50. The computer program product of Claim 49, wherein said specification 

includes at least one external constraint mapping elements of said abstract model to 
elements of said data structure. 



51 . The computer program product of Claim 48, wherein said description of said 
20 abstract model includes at least one model definition rule and at least one declaration for 
one of: a set and a relation, said at least one model definition rule representing an element 
of said data structure in at least one of a set and a relation. 



52. The computer program product of Claim 51, wherein said specification 
25 includes at least one external constraint mapping elements of said abstract model to 

elements of said data structure. 

53. The computer program product of Claim 39, wherein said executable code 
that dynamically determines is responsive to at least one of: an explicit call and a transfer 

30 of control to an error handler. 
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54. The computer program product of Claim 51, further comprising executable 
code that, prior to dynamically determining whether said data structure violates said at 
least one consistency constraint, determines whether construction of said abstract model 

5 will terminate. 

55. The computer program product of Claim 54, further comprising executable 
code that, prior to dynamically determining whether said data structure violates said at 
least one consistency constraint, determines whether said at least one model definition 

10 rule has cyclic dependencies which involve negation operators. 

56. The computer program product of Claim 55, wherein said at least one model 
definition rule is of the form: quantifier, Q, guard, G, and an inclusion constraint, I, and 
the computer program product further comprising executable code that: 

15 translates each guard of each of said at least one model definition rule into 

disjunction normal form including a logical ORing of conjunctions, each of said 
conjunctions including one or more predicates; 

constructs a graph representing said at least one model definition rule, said graph 
including a node for each model definition rule, a normal edge from a first rule to a 

20 second rule if the inclusion constraint for the first rule uses a set or relation which is also 
used in a guard of the second rule or a quantifier of the second rule, a negated edge from 
the first rule to the second rule if the inclusion constraint for the first rule uses a set or a 
relation which is negated in connection with one of a set or relation of the second rule's 
guard; and 

25 determines if there are any cycles in said graph with negated edges. 

57. The computer program product of Claim 46, further comprising executable 
code that, prior to dynamically determining whether said data structure violates said at 
least one consistency constraint, determines whether repairing said internal constraints 

30 will terminate. 
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58. The computer program product of Claim 39, further comprising executable 
code that: 

5 determines whether a memory reference in connection with said data structure is 

valid in accordance with currently allocated memory of said program. 

59. The computer program product of Claim 39, further comprising executable 
code that: 

10 repairs said data structure if said data structure violates said at least one 

consistency constraint. 

60. A computer program product that dynamically repairs an inconsistent data 
structure during program execution comprising executable code that: 

1 5 receives at least one inconsistency violation; 

selects a repair to correct said at least one inconsistency violation; and 
repairs said inconsistent data structure. 

61. The computer program product of Claim 60, further comprising executable 
20 code that: 

resumes execution of said program. 

62. The computer program product of Claim 60, further comprising executable 
code that performs said repair and satisfies said at least one consistency constraint. 

25 

63. The computer program product of Claim 60, wherein said inconsistent data 
structure is represented in an abstract model, and the computer program product 
comprising executable code that: 

repairs said abstract model in accordance with an internal consistency constraint; 

30 and 
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applies a repair to the inconsistent data structure in accordance with an external 
constraint translating said repair from said abstract model to said inconsistent data 
structure. 

64. The computer program product of Claim 60, further comprising executable 
code that: 

repairs said inconsistent data structure in accordance with an internal consistency 
constraint. 

65. The computer program product of Claim 60, further comprising executable 
code that: 

selects a repair from a plurality of repairs in accordance with a cost associated 
with each repair. 

66. The computer program product of Claim 65, wherein said cost is user 
specified. 

67. The computer program product of Claim 65, wherein said inconsistency 
violation includes a plurality of conditions, and the computer program product further 
comprising executable code that: 

determines which of said plurality of conditions are true; and 
determines a cost for repairing said inconsistency violation in accordance with 
those conditions that are not true. 

68. A computer program product that handles an invalid memory reference 
comprising executable code that: 

determines whether a memory reference associated with an operation is invalid; 

and 

if said memory reference is invalid, performs a substitute action selected in 
accordance with said operation in place of performing said operation. 
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69. The computer program product of Claim 68, further comprising executable 
code that: 

if said memory reference is associated with a read operation, supplies a default 
value as a result of performing said read operation; and 

if said memory reference is associated with a write operation, disregards said 
write operation. 

70. The computer program product of Claim 69, wherein at least one invalid read 
operation has a different default value than at least one other invalid read operation. 

71. The computer program product of Claim 68, wherein said invalid memory 
access is determined during execution of said program. 

72. The computer program product of Claim 69, wherein said executable code 
that determines is performed in accordance with memory allocations associated with a 
program execution. 

73. The computer program product of Claim 72, further comprising executable 
code that: 

evaluates said memory reference prior to attempting to access a portion of 
memory. 

74. The computer program product of Claim 73, wherein at least one of said read 
operation and said write operation uses one of: a pointer access, and an array element for 
said memory reference. 

75. The computer program product of Claim 73, wherein a program having an 
invalid memory reference continues execution following execution of said substitute 
action. 
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76. The computer program product of Claim 70, wherein a program having an 
invalid memory reference continues execution following execution of said substitute 
action. 
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